Author: geoff
Date: 2009-05-11 09:01:24 +0200 (Mon, 11 May 2009)
New Revision: 3313
Modified:
trunk/openvas-compendium/ChangeLog
trunk/openvas-compendium/openvas-compendium.tex
Log:
Edited "What is a Signature" section for grammar and flow.
Modified: trunk/openvas-compendium/ChangeLog
===================================================================
--- trunk/openvas-compendium/ChangeLog 2009-05-11 06:41:11 UTC (rev 3312)
+++ trunk/openvas-compendium/ChangeLog 2009-05-11 07:01:24 UTC (rev 3313)
@@ -1,3 +1,8 @@
+2009-05-11 Geoff Galitz <geoff at galitz.org>
+
+ * openvas-compendium.tex: Edited "What is a Signature" section
+ for grammar and flow.
+
2009-05-07 Geoff Galitz <geoff at galitz.org>
* openvas-compendium.tex: Edited "Performaing a synchronization
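Review bot: the unchanged context line ` * openvas-compendium.tex: Edited "Performaing a synchronization` directly below the new entry still carries the typo "Performaing"; since this commit already touches the ChangeLog, correcting it to "Performing" in the same change would be cheap and keeps the file consistent with the grammar-focused intent of the commit.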
Modified: trunk/openvas-compendium/openvas-compendium.tex
===================================================================
--- trunk/openvas-compendium/openvas-compendium.tex 2009-05-11 06:41:11 UTC (rev 3312)
+++ trunk/openvas-compendium/openvas-compendium.tex 2009-05-11 07:01:24 UTC (rev 3313)
@@ -896,25 +896,22 @@
\subsection{What is a Signature?}
A clever method is applied to compute a unique checksum for a file. If only a
-single character in the file changes, the checksum will change as well. This
+single character in the file changes, the checksum changes as well. This
checksum is digitally signed in a way that you can test with a public
certificate whether a certain key was used to create the signature. Such a key
-and certificate do always form a pair that relates them to each other. If the
+and certificate always form a pair. If the
signed file has been modified by a third party, the signature will be broken. In
-this case you should not trust the file.
+this case the file should be considered compromised or corrupt.
-If the signature is not broken, the question remains if you trust the owner of
-the key. If you decided to do so (and there any many ways and supporting
-technologies to manage this), you can accept the file as trustworthy.
+If the signature is verified, you must still determine if you trust the
+provider of the NVT file(s) and keys. There are many ways and tools to manage this.
-In other words, the checksum ensures the integrity of the file and will change
-if the file was changed between the NVT feed server and your system. The
-signature on the other hand indicates the authenticity of the file -- by
-signing the checksum, the manager of the Feed Service signifies that the file
-available from the feed server has been tested and is authentic.
+In summary, an NVT file is paired with a singature (in a seperate signature
+file) and that pair then has a checksum computed. The checksum verifies the
+integrity of the NVT file. If the checksum does not match
+the expected result, the NVT file should be considered untrustworthy.
-This way you can verify that the file in your possession is indeed the same
-file that was tested by the feed manager. It is your responsibility to verify
+It is your responsibility to verify
that the manager of the Feed Service is indeed the person he or she claims to
be and to make sure the tests performed by this person are sufficient for you.
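Review bot: the new summary paragraph reverses the order of operations that the first paragraph of this same section describes. `+In summary, an NVT file is paired with a singature (in a seperate signature` / `+file) and that pair then has a checksum computed.` says the checksum is taken over the file plus its signature, whereas the section opens by saying the checksum is computed over the file and that checksum is then digitally signed; the detached signature file is not part of what is checksummed. Suggest rewording along the lines of "an NVT file is accompanied by a detached signature file; the signature covers a checksum of the NVT file." The rewrite also drops the removed lines' distinction between integrity (the checksum) and authenticity (the signature, i.e. who vouched for the file); that distinction is the point of the section and should survive, since a matching checksum alone says nothing about who produced the file. The follow-on sentence `+If the checksum does not match` / `+the expected result, the NVT file should be considered untrustworthy.` would then read more consistently as "If the signature does not verify", matching "the signature will be broken" in the first paragraph. Finally, "singature" and "seperate" are typos for "signature" and "separate".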